Trouble in Paradise as Cyber Attackers Circumvent 2FA

Two-Factor Authentication (2FA) has for years been a very dependable security technology, invoked to address high-risk scenarios -- whether to safeguard enterprise resources accessed through the firewall, to protect financial accounts, or -- for high-value targets -- to protect each email login. Most people, to the extent that they spend time thinking about the security of 2FA, conclude -- incorrectly -- that 2FA offers bulletproof security for authentication.

While 2FA is a big step above and beyond the use of traditional passwords, it is not infallible, and thinking so makes the risk of failure even greater. In a recent publication, some of my research collaborators and I demonstrated that attackers can achieve a greater than 50% success rate using a social engineering attack on Google’s SMS-based 2FA. This attack is based on an attacker coordinating a request, made to the victim, for a code with an access attempt to a resource that requires a code. Password reset is an example: the attacker would request a password reset on behalf of a victim, which results in the victim getting a security code from a service provider. Then, the attacker sends a request to the victim, appearing to come from the service provider, asking for the code. Most people responded with the code, which enables the attacker to reset their password. This is very troublesome.

However, the same article also described easy changes that can be made -- by Google as well as any other service provider offering or relying on 2FA -- that bring down the success rate from above 50% to below 10%. Now, I am not saying that pushing the risk down below 10% is reason for celebration. After all, that means that an attacker would only have to launch the attack against seven prospective victims in an organization to once again get the success rate up above 50%.

In fact, a leaked top secret document suggests that is exactly what seems to have happened in the 2016 Russian attack against VR Systems, a Florida-based vendor of electronic voting services and equipment. VR Systems was targeted using a sophisticated spear-phishing email attack in which social engineering methods were used to circumvent 2FA.

In addition to being vulnerable to social engineering, SMS-based 2FA technologies have recently been shown to be vulnerable to attacks in which SMS messages are routed away from a victim device, using a publicized weakness in a mobile security technology referred to as SS7.

Therefore, it is critical to shore up 2FA security and to fix vulnerable mobile security protocols. There are solutions today, such as Google’s “Security Key”, which address the weaknesses described above. But such solutions will require many years to become ubiquitous, so it is equally important -- if not more important -- for organizations to protect themselves against targeted attacks, including spear phishing. The alternative is as clear as it is undesirable: dramatically rising account take-over rates.

Account take-overs, historically speaking, have been used by criminals to access -- and empty -- financial accounts. Increasingly, these attacks are used in a much more sinister manner, though. Only last year, we witnessed a whole range of politically motivated attacks, probably the best known being the Podesta phish, in which sensitive data was leaked and later published.

However, there are many other instances. In the VR Systems attack, attackers mounted a two-phase attack. In the first phase, they compromised accounts within the election service provider, and exfiltrated among other things customer lists with email addresses. In the second phase, these customers -- namely representatives of individual precincts -- were targeted. It is not known how many were compromised.

In yet other politically motivated attacks, such as those on non-governmental organizations (NGOs) the day after the presidential election, members of left-leaning organizations were targeted with malware, attempting to take over not just their email accounts, but their computers. Similar attacks, although much less publicized, were carried out against thousands of U.S. enterprises. The goal in these attacks was not influence, but money; the technical approaches, however, were the same.

There is more than one reason why account take-overs are becoming more common. As the examples above show, accounts are a source of intelligence. They are also a source of influence: an attacker who has compromised a prominent email account can harvest all the contacts of the victim, along with context useful to target the contacts -- and then, send deceptive messages from the corrupted account to selected contacts, on relevant topics, and with suitable payloads. If any of the contacts were to respond to the attack messages, automated rules installed by the attacker can take those messages -- but no other messages -- and forward them to an account owned by the attacker and then remove them from the inbox of the launchpad account.

But that is not all. Another important reason why account take-overs are on the rise is that an email from a compromised account -- sent to a contact of the victim -- almost certainly will be delivered. Almost all security countermeasures immediately identify an email from a contact as a safe email -- and have no capability of detecting that the email came from a corrupted account. But this can be done. For example, by automatically scrutinizing the Mail User Agent (MUA), which is identified in the headers of an email, competent security technologies can identify discrepancies from the historical MUAs associated with the account, which are indicative of an account take-over.
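
The MUA check described above, as an added example that is not from the article or from any vendor's product: it builds a per-sender history of MUA names from the User-Agent and X-Mailer headers and flags a message whose MUA was never seen for that sender. The sample messages, the min_history threshold and all function names are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from email import message_from_string
from email.utils import parseaddr

def mua_family(msg):
    """Coarse MUA name from User-Agent or X-Mailer, with the version dropped
    so that routine client upgrades do not look like a change of MUA."""
    raw = (msg.get("User-Agent") or msg.get("X-Mailer") or "").strip()
    m = re.match(r"[A-Za-z][A-Za-z .\-]*", raw)
    return m.group(0).strip().lower() if m else "<none>"

def detect_mua_anomalies(raw_messages, min_history=3):
    """Return (sender, new_mua, known_muas) for each message whose MUA was
    never seen for that sender. Messages are assumed to be in arrival order."""
    history = defaultdict(Counter)
    alerts = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        family = mua_family(msg)
        seen = history[sender]
        if sum(seen.values()) >= min_history and family not in seen:
            # Do not learn from the outlier: the baseline stays clean until
            # an analyst confirms that the new client is legitimate.
            alerts.append((sender, family, sorted(seen)))
        else:
            seen[family] += 1
    return alerts

def make_message(sender, header, mua):
    """Build a minimal RFC 5322 message carrying one MUA header."""
    return (f"From: {sender}\nTo: carol@example.org\nSubject: status\n"
            f"{header}: {mua}\n\nbody\n")

# Constructed sample traffic (not real mail), in arrival order.
ALICE, BOB = "Alice <alice@example.com>", "bob@example.com"
SAMPLE = [
    make_message(ALICE, "User-Agent", "Mozilla Thunderbird 115.3.1"),
    make_message(BOB, "X-Mailer", "Apple Mail (2.3731.700.6)"),
    make_message(ALICE, "User-Agent", "Mozilla Thunderbird 115.4.0"),
    make_message(BOB, "X-Mailer", "Apple Mail (2.3731.700.6)"),
    make_message(ALICE, "User-Agent", "Mozilla Thunderbird 115.5.0"),
    make_message(BOB, "X-Mailer", "Apple Mail (2.3731.700.6)"),
    make_message(ALICE, "X-Mailer", "PHPMailer 6.8.0"),            # new MUA
    make_message(BOB, "X-Mailer", "Apple Mail (2.3776.700.51)"),   # upgrade
]

if __name__ == "__main__":
    for sender, new, known in detect_mua_anomalies(SAMPLE):
        print(f"ALERT {sender}: unseen MUA {new!r}, history {known}")
```

Both the From address and the MUA headers are set by the sending side, so this check belongs after sender authentication and works as one signal among several rather than as a verdict.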

There are several important conclusions we can draw from this. One is that email is increasingly the tool of choice for attackers, whether we are speaking of national security or enterprise security. Another is that while it is well understood that user awareness is an imperfect solution, many people incorrectly believe that 2FA is the perfect solution. It is a good security measure, but is vulnerable to social engineering attacks, like so many other technologies. The best way, one must conclude, is to keep malicious emails out of the inbox. This ought to be the industry focus.

Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist and entrepreneur, studying phishing, crimeware and mobile security.
Prior to Agari, Jakobsson spearheaded research in malware, authentication, fraud, user interfaces and security technologies for Qualcomm. He also co-founded three digital startups – ZapFraud, RavenWhite and FatSkunk. Jakobsson has held key roles as Principal Scientist at PayPal, Xerox PARC and RSA Security. He holds more than 100 patents and is a visiting research fellow of the Anti-Phishing Working Group (APWG). He holds a Ph.D. in computer science from the University of California, San Diego and master’s degrees from both the University of California, San Diego and Lund University in Sweden.